Ditch the Triangle and use more technology


Big Data might be the big thing this year, but it's just one step in the evolution of enterprise information systems. Each year they become more powerful. As do the capabilities of their users. Forget the 'least privilege' principle. It's only Data Protection law that limits what they can access.

Such a landscape can no longer be policed by humans and procedures. Technology is needed to leverage security controls. The Golden Triangle of people, process and technology needs to be rebalanced in favour of automation. And I'm speaking as a pioneer and highly experienced expert in process and human factors.

You may wonder where the Triangle originated. Contrary to popular opinion it was not invented by Bruce Schneier. I can't help you before 1990, which is when I first encountered it in Shell. At that time it was being used in operational research circles. 

I first used it in 1991 to help balance the content of the Shell baseline security controls, the forerunner of BS7799 and ISO 27002. Back then we wanted to embed procedures to support ISO 9000 adoption. We also wanted to place more emphasis on user awareness. We sought in fact a perfect balance of controls for people, process and technology.

Today I'd ditch the Triangle. It's become an argument against excessive focus on technology. Yet that's what we now need. There's nowhere near enough exploitation of technology in our security controls. We rely far too much on policy and people, neither of which are reliable, especially when dealing with fast-changing, large scale infrastructures.

What's needed to correct the balance? The answer lies in the use of 'Big Data' analysis engines, scalable Cloud services and artificial life intelligence. These technologies are available now but our usage of them is still in its infancy. Ten years ago I experimented with data mining and computational immunology. They worked but it was a major challenge to maintain a positive business case. Funding dried up as the gloss wore off the digital revolution.

It's now time to get serious with technology and develop the automated solutions needed to meet today's challenges. Policy and education measures might get you through an audit but they won't stop an advanced persistent threat.   


3 Comments

"There's nowhere near enough exploitation of technology in our security controls. We rely far too much on policy and people, neither of which are reliable, especially when dealing with fast-changing, large scale infrastructures."

Isn't it amazing that we build computer systems that allow people to select passwords like "password1" and then we spend hundreds of hours trying to tell the users not to?

I would also add that Mr. Lacey, perhaps due to time and/or space constraints, limits his treatment of the solution to “the use of ‘Big Data’ analysis engines, scalable Cloud services and artificial life intelligence,” without first recognizing a critical dependency: Technological controls need to talk to one another using a common set of languages and protocols. If we’re really going to go after a wide and deep solution, it seems that getting the fundamentals of what we want to describe in an automated manner defined in a dynamically updatable way is required first. -- https://stoicsecurity.com/2013/01/30/rebalance-the-golden-triad-of-people-process-and-technology/#more-349

The triangle is like the proverbial three-legged stool – no two or one can stand alone. The focus should be on technology to carry out the implementation of policies and procedures instead of people. But you still need all three.


About this Entry

This page contains a single entry by David Lacey published on January 20, 2013 5:39 PM.
